On April 2, 2024, the Enforcement Division of the California Privacy Protection Agency (CPPA) issued Enforcement Advisory No. 2024-01. This first-ever enforcement advisory focuses on promoting compliance with California Consumer Privacy Act (CCPA) data minimization obligations related to consumer requests.
Specifically, the enforcement recommendations are as follows:
- Emphasizes that data minimization is a fundamental principle of the CCPA and requires covered businesses to apply this principle to all purposes for which they collect, use, retain, and share the personal information of California consumers. I have repeatedly stated that there is.
- Clarify that data minimization principles apply to the processing of consumer requests.
- We find that some businesses are asking consumers to provide unnecessary and excessive amounts of personal information in order to authorize or respond to consumer requests made under the CCPA.
- Examples of how companies can strengthen their data minimization practices to avoid potential enforcement actions.
CPPA Secretary-General Ashkan Soltani said that while educating the public about their rights, affected businesses should heed the guidance in the advisory.[v]Strict enforcement is part of this [the agency’s] Mission…”
Data minimization
The concept of data minimization stems from the idea that businesses should only collect consumers' personal information to the extent necessary to accomplish a specific legal business purpose. Data minimization has many important benefits, including reducing the risk of harm from a data breach and reducing the time it takes to respond to a consumer request to access or delete a consumer's personal information. functions.
When does data minimization apply to consumer requests?
The Recommendation clarifies that data minimization is a fundamental principle of the CCPA and applies to covered entities' processing of CCPA-governed personal information, including the processing of consumer CCPA requests.
This advisory highlights some of the less obvious situations in which data minimization applies under the CCPA, stating that companies should not collect “more than necessary” to meet consumer requests. It is emphasized that there is no. Specifically, data minimization applies to:
- Processing of Consumer Opt-Out Preference Signals.
- Request to opt out of having your data sold or shared.
- Requests regarding the use or disclosure of sensitive personal information.
- Identification.
Possible business scenarios and how to respond to them
This advisory outlines two situations in which companies may encounter data minimization principles and provides guidance on how to respond in both cases.
First, if a covered business receives a consumer request to opt out of the sale or sharing of personal information and is unsure how much personal information the business needs to collect to process the request; The CPPA states that a business may not (1) require; A consumer must verify his or her identity to make such a request, but (2) may ask the consumer for information necessary to complete the request, so long as the process is not burdensome; For example, while businesses can ask consumers for their name if necessary to complete the request, businesses typically ask consumers for a photo of themselves with a driver's license to exercise their CCPA opt-out rights. You shouldn't be asked to send it.
Second, if the business in question needs to verify the consumer's identity in order to respond to a request such as deletion of personal information, and the consumer in question does not have an account with that business. , the Institute of Certified Public Accountants recommends that businesses establish the following reasonable methods. The CCPA rules address verification, prioritizing data minimization, and verifying that the person making the request is the consumer whose information the business has collected. This method should not include collecting information that is disproportionate or excessive compared to the information the business collects from consumers.
For example, if the information to be removed is a name and email address, the business should consider the degree of certainty required to verify the consumer's identity, the sensitivity of the information to be removed, and the risk of harm. is needed. Due to unauthorized deletion.
In general, if a business is unsure what information is appropriate to collect when responding to a consumer request, it should consider the following questions that reflect concepts established under the CCPA: there is.
- What is the minimum amount of personal information required for our business to respond to consumer requests?
- If I already have certain personal information from this consumer, do I need to request more information?
- What adverse effects may result from collecting additional personal information? Could additional safeguards be taken to address these possible adverse effects?
- Is the document or photo on file sensitive information that needs to warrant a more rigorous verification process than simply requesting an email address?
- What are the risks to consumers of harm if they act on fraudulent requests?
- Is it disproportionate and excessive to require certain types of information to validate a request?
conclusion
Covered businesses should carefully consider whether they are applying data minimization principles in good faith to the collection, use, retention, and sharing of consumers' personal information when responding to consumer requests. . The benefits of regularly reviewing data minimization practices include reducing exposure to enforcement-related risks and improving data governance.
Download PDF
[View source.]